Test

<font color="#ff9900" face="Arial, Helvetica, sans-serif" size="3">
Hub-and-Spoke VPN using NETGEAR VPN Firewalls</font></b></p>
<p>This
article describes how to configure NETGEAR ProSafe VPN Firewalls as a
hub-and-spoke VPN, as might be used by a headquarters with many
branch offices. The FVS318v2, FVS318v3, FVS338 and FVX538 routers are used,
with the firmware shown in the table below; the process applies
generally to all NETGEAR VPN routers.</p>
<p><b><font color="#2462af">Hub-and-Spoke Example</font></b></p>
<p>In this example, three branch offices (the "spokes") connect to a central office (the "hub") over
VPN links:</p>
<p><img src="http://kbserver.netgear.com/images/1499_1.gif" border="1" height="201" width="464"></p>

<p>Each
branch office makes a VPN connection to the central office. Over these
VPN connections, the LAN computers at each branch office can reach the
LAN computers at the central office and, through there, can reach the
LAN computers at the other branch offices.</p>
<p>In this example, each LAN uses a private IP address in which the first two octets are the same for
all four LANs (192.168.x.x). The third octet is different for each LAN. These are the WAN and the LAN addresses:</p>
<table border="1">
<tbody><tr align="center">
<th>Router</th>
<th>Model</th>
<th>Firmware</th>
<th>WAN IP</th>
<th>LAN IP</th>
<th>LAN Netmask</th>
</tr>
<tr align="center">
<td>Central (Hub)</td>
<td>FVX538</td>
<td>1.6.40</td>
<td>10.1.1.1</td>
<td>192.168.1.1</td>
<td>255.255.255.0</td>
</tr>
<tr align="center">
<td>Branch 1 (Spoke)</td>
<td>FVS318v2</td>
<td>2.4</td>
<td>10.12.12.12</td>
<td>192.168.12.1</td>
<td>255.255.255.0</td>
</tr>
<tr align="center">
<td>Branch 2 (Spoke)</td>
<td>FVS318v3</td>
<td>3.0_20</td>
<td>10.3.3.3</td>
<td>192.168.3.1</td>
<td>255.255.255.0</td>
</tr>
<tr align="center">
<td>Branch 3 (Spoke)</td>
<td>FVS338</td>
<td>1.6.35</td>
<td>10.2.2.2</td>
<td>192.168.2.1</td>
<td>255.255.255.0</td>
</tr>
</tbody></table>
<p>In each spoke router, you configure a VPN tunnel to the hub with <font color="Red">a destination netmask of 255.255.0.0</font>,
indicating that all 192.168.x.x addresses can be reached through the tunnel to the hub. At the hub, we will
configure separate tunnels to each spoke with destination netmasks of 255.255.255.0. The tunnels from the hub
will have <font color="Red">source netmasks of 255.255.0.0</font>, indicating that hosts from any 192.168.x.x address can access the
tunnel to the spoke.</p>

<p>Note that 192.168.10.x should not be used because this network is reserved for the FVX538's DMZ.</p>
<hr>

<p><b><font color="#2462af">Configuring Branch 1: The FVS318v2 Spoke Router</font></b></p>
<p>To configure the tunnel to the hub from the FVS318v2, use the VPN Wizard to create the
VPN policy.</p>
<ol>
<li>Go to the <b>VPN Wizard</b> menu and click <b>Next</b> to begin a new VPN policy.</li>
<li>For Connection Name, type something descriptive such as <b>toFVX</b>.</li>
<li>Enter the <b>Pre-Shared Key</b> to use between this router and the hub router.</li>
<li>Select to connect to <b>A remote VPN Gateway</b>.</li>
<li>Click <b>Next</b> to go to Step 2.</li>
<li>Enter the hub router's <b>WAN IP address</b> (or <b>Fully Qualified Domain Name</b>).</li>
<li>Click <b>Next</b> to go to Step 3.</li>
<li>Enter the hub router's <b>LAN IP address</b> and set the Subnet Mask to <b>255.255.0.0</b>.</li>
<li>Click <b>Next</b> to go to the Summary screen, then click <b>Done</b> to complete the policy.</li>
<li>Go to the <b>VPN Settings</b> menu, select the policy you just created, and click <b>Edit</b> to
examine the settings. The policy screen below appears, but with your IP addresses:</li>
</ol>

<blockquote><img src="http://kbserver.netgear.com/images/1499_5.gif" border="1" height="656" width="415"></blockquote>
<hr>

<p><b><font color="#2462af">Configuring Branch 2: The FVS318v3 Spoke Router</font></b></p>
<p>To configure the tunnel to the hub from the FVS318v3, you can use the VPN Wizard to create the
VPN policy.</p>
<ol>
<li>Go to the <b>VPN Wizard</b> menu and click <b>Next</b> to begin a new VPN policy.</li>
<li>For Connection Name, type something descriptive such as <b>toFVX</b>.</li>
<li>Enter the <b>Pre-Shared Key</b> to use between this router and the hub.</li>
<li>Select to connect to <b>A remote VPN Gateway</b>.</li>
<li>Click <b>Next</b> to go to Step 2.</li>
<li>Enter the hub router's <b>WAN IP address</b> (or FQDN).</li>
<li>Click <b>Next</b> to go to Step 3.</li>
<li>Enter the hub router's <b>LAN IP address</b> and set the Subnet Mask to <b>255.255.0.0</b>.</li>
<li>Click <b>Next</b> to go to the Summary screen, then click <b>Done</b> to complete the policy.</li>
<li>The VPN Policies screen displays. Select the policy you just created, and click <b>Edit</b>
to examine the settings. The policy screen below appears, but with your IP addresses:
<p><img src="http://kbserver.netgear.com/images/1499_3.gif" border="1" height="683" width="551"></p>
</li>
<li>Go to the <b>IKE Policies</b> menu and select the policy you just created.</li>
<li>Click <b>Edit</b> to
examine the settings. The policy screen below appears, but with your IP addresses:
<p><img src="http://kbserver.netgear.com/images/1499_4.gif" border="1" height="603" width="461"></p>
</li>
</ol>
<hr>

<p><b><font color="#2462af">Configuring Branch 3: The FVS338 Spoke Router</font></b></p>

<p>To configure the tunnel to the hub from the FVS338, follow the same steps as shown in the preceding
section.</p>
<hr>

<p><b><font color="#2462af">Configuring the Central Office: The FVX538 Hub Router</font></b></p>
<p>At the hub router, configure a tunnel to each of the three spoke routers. Use the
VPN Wizard to create each VPN policy, then edit each policy to make one change: in the VPN
Policy, change the Subnet Mask of the Local IP Traffic Selector from 255.255.255.0 to
255.255.0.0. This is an example of creating the tunnel to Branch 2:</p>
<ol>
<li>Go to the <b>VPN Wizard</b> menu and click <b>Next</b> to begin a new VPN policy.</li>
<li>For Connection Name, use a descriptive name such as <b>toFVS318v3</b>.</li>
<li>Enter the <b>Pre-Shared Key</b> to be used between this router and Branch 2.</li>
<li>Select to connect to <b>A remote VPN Gateway</b>.</li>
<li>Click <b>Next</b> to go to Step 2.</li>
<li>Enter the Branch 2 router's <b>WAN IP address</b> (or <b>Fully Qualified Domain Name</b>).</li>
<li>Click <b>Next</b> to go to Step 3.</li>
<li>Enter the Branch 2 router's <b>LAN IP address</b> and set the Subnet Mask to <b>255.255.255.0</b>
(not 255.255.0.0).</li>
<li>Click <b>Next</b> to go to the Summary screen, then click <b>Done</b> to complete the policy.</li>
<li>The VPN Policies screen displays. Select the policy you just created, and click <b>Edit</b>.</li>
<li>Under <b>Traffic Selector</b>, <b>Local IP</b>, change the Subnet Mask to <b>255.255.0.0</b>. The policy screen below appears, but with your IP addresses:
<p><img src="http://kbserver.netgear.com/images/1499_2.gif" border="1" height="711" width="486"></p>
</li>
<li>Go to the <b>IKE Policies</b> menu and select the policy you just created.</li>
<li>Click <b>Edit</b> to
examine the settings. The IKE policy below appears, but with your IP addresses:
<p><img src="http://kbserver.netgear.com/images/1499_6.gif" border="1" height="686" width="483"></p>
</li>
<li>Repeat this procedure for each of the other two spokes.</li>
</ol>
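<p>The selector logic behind the two netmask choices above (the spokes' 255.255.0.0 destination mask and the hub's widened Local IP mask), as an added example that is not part of the NETGEAR article: a small Python model of each router's IPsec traffic selectors that traces a branch-to-branch packet through the hub and shows why the hub's local selector must be changed to 255.255.0.0, since with the wizard's default /24 the hub has no policy whose selectors accept traffic between two spokes. The policy names, the per-hop matching logic and the hub-to-spoke packet flow are assumptions for illustration.</p>

```python
from ipaddress import ip_address, ip_network

SUPERNET = ip_network("192.168.0.0/16")   # selector behind the 255.255.0.0 mask
HUB_LAN = ip_network("192.168.1.0/24")    # FVX538 LAN, from the address table
HUB_DMZ = ip_network("192.168.10.0/24")   # reserved for the FVX538 DMZ
SPOKE_LANS = {                            # spoke LANs, from the address table
    "Branch 1": ip_network("192.168.12.0/24"),
    "Branch 2": ip_network("192.168.3.0/24"),
    "Branch 3": ip_network("192.168.2.0/24"),
}

def build_policies(hub_local=SUPERNET):
    """Return {router: [(policy name, local selector, remote selector)]}.
    Spokes: local = own LAN, remote = the /16 reached via the hub.
    Hub: local = hub_local (the article edits this to the /16; the wizard's
    default is the hub's own /24), remote = that spoke's LAN.
    Policy names are assumed for illustration."""
    policies = {"Central": []}
    for branch, lan in SPOKE_LANS.items():
        policies[branch] = [("toFVX", lan, SUPERNET)]
        policies["Central"].append(("to" + branch.replace(" ", ""), hub_local, lan))
    return policies

def matching_policy(policies, router, src, dst, inbound=False):
    """Name of the first policy on `router` whose selectors cover src -> dst.
    Outbound: src in local and dst in remote; inbound checks the mirror image,
    which is how a receiving gateway decides whether to accept the packet."""
    src, dst = ip_address(src), ip_address(dst)
    for name, local, remote in policies[router]:
        first, second = (remote, local) if inbound else (local, remote)
        if src in first and dst in second:
            return name
    return None

def trace(policies, src_branch, src, dst_branch, dst):
    """(router, policy) hops for a packet sent from a spoke LAN, or None if
    some hop has no matching selector.  Branch-to-branch traffic is decrypted
    at the hub and re-encrypted into the destination spoke's tunnel."""
    hops = []
    for router, inbound in ((src_branch, False), ("Central", True),
                            ("Central", False), (dst_branch, True)):
        if dst_branch == "Central" and router == "Central" and not inbound:
            break  # destination is the hub LAN itself: no second tunnel
        name = matching_policy(policies, router, src, dst, inbound)
        if name is None:
            return None
        hops.append((router, name))
    return hops

def overlaps_hub_dmz(lan_cidr):
    """True if a proposed spoke LAN collides with the reserved 192.168.10.x range."""
    return ip_network(lan_cidr).overlaps(HUB_DMZ)
```

With the default hub mask, spoke-to-hub traffic still works (the hub's own /24 covers the destination), which is why the mistake only shows up when a branch pings another branch.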
<hr>

<p><b><font color="#2462af">Testing the Connection</font></b></p>
<ol><li>From a PC on the LAN of any branch, test by continuously pinging a PC on the central office's LAN. There
should be a response within 30 seconds.</li><li>From the same branch PC, test by continuously pinging a PC on the LAN of any other branch.
There should be a response within 30 seconds.</li></ol>
<p>(Note that the FVS318's VPN status does not change to 'active' until traffic has actually been sent across the VPN connection.)</p>

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License